Security champions should be an integral part of your security team. When this position was first introduced five or so years ago as part of the cybersecurity structure, the security champion was someone from the development team whose role was to bridge the gap between development and security. The role of security champion has morphed a bit over the years, moving beyond just the technical aspects and acting as a security mentor or liaison for the overall organization.
As cybersecurity becomes more of a business operations concern, security champions play an increasingly important role in establishing an organization's security culture. Their roles range from training their co-workers in best security practices to assisting with security audits to threat reporting. All organizations need security champions to address cybersecurity threats, but how do you select the right people for the role?
Putting Together the Best Team
According to the OWASP Security Champions Playbook, there are six points to follow when selecting security champions. They are:
- Identify teams - will there be one team for the entire organization or will individual teams for each department?
- Define the role - recognize where the security challenges are within the organization and where security champions will be most effective.
- Nominate perspective champions - recognize that in many companies, this will be a voluntary, unpaid role and should include both technical and management representatives, but most importantly will have an interest or competency in cybersecurity efforts.
- Communication channels - security champions should meet regularly and have easy but effective ways to communicate between each other and with the overall security team.
- Knowledge base - define the roles of the security champions and security team and build a library of internal security protocols
- Maintain interest - new opportunities always start with excitement and energy, but it is vital to sustain this momentum through regular training opportunities and information sharing.
Your security champions -whether it is one person representing the organization or a team of people -should meet OWASP's playbook recommendations. Security champions don't have to be part of the organization's leadership team, but they should show leadership skills because they will be tasked with helping others follow security best practices. Those tasked with finding security champions should look for someone who has already proven an interest in cybersecurity -for example, someone who volunteers to assist with audits or regularly recognizes and reports potential attacks. Potential security champions should also demonstrate good people and communication skills, as they will be asked to mentor other employees and lead security awareness training.
Cyber threats are increasing and growing more sophisticated. By choosing good security champions to provide a link between all facets of the organization and the security team, you add another layer of protection for your network and data.